Getting and enforcing a service level agreement is paramount when employing cloud services – that was the chief conclusion reached in a report out this week by the federal watchdogs at the Government Accountability Office.

“Purchasing IT services through a provider enables agencies to avoid paying for all the assets such as hardware, software and networks that would typically be needed to provide such services.

This approach offers federal agencies a means to buy the services faster and possibly cheaper than through the traditional methods they have used. To take advantage of these potential benefits, agencies have reported that they plan to spend more than $2 billion on cloud computing services in fiscal year 2016,” the GAO stated.

In the process of developing the report the GAO came up with ten key practices for such SLAs that are relevant to federal and private users.

1. Specify roles and responsibilities of all parties with respect to the SLA, and, at a minimum, include agency and cloud providers. These definitions would include, for example, the persons responsible for oversight of the contract, audit, performance management, maintenance, and security. Define key terms, including activation date, performance, and identify any ambiguities in the definitions of cloud computing terms.

2. Define key terms, such as dates and performance. Define the performance measures of the cloud service, including who is responsible for measuring performance. These measures would include, among other things, the availability of the cloud service; the number of users that can access the cloud at any given time; and the response time for processing a customer transaction.

3. Define clear measures for performance by the contractor. Include which party is responsible for measuring performance. Examples of such measures would include:

• Level of service (e.g., service availability: the duration the service is to be available to the agency).

• Capacity and capability of cloud service (e.g., maximum number of users that can access the cloud at one time and ability of provider to expand services to more users).

• Response time (e.g., how quickly cloud service provider systems process a transaction entered by the customer, response time for responding to service outages).

4. Specify how and when the agency has access to its own data and networks. This includes how data and networks are to be managed and maintained throughout the duration of the SLA and transitioned back to the agency in case of exit/termination of service.

5. Specify the following service management requirements:

• How the cloud service provider will monitor performance and report results to the agency.

• When and how the agency, via an audit, is to confirm performance of the cloud service provider.

6. Provide for disaster recovery and continuity of operations planning and testing, including how and when the cloud service provider is to report such failures and outages to the agency. In addition, describe how the provider will remediate such situations and mitigate the risk of such problems recurring.

7. Describe any applicable exception criteria when the cloud provider’s performance measures do not apply (e.g., during scheduled maintenance or updates).

8. Specify metrics the cloud provider must meet in order to show it is meeting the agency’s security performance requirements for protecting data (e.g., clearly define who has access to the data and the protections in place to protect the agency’s data). Specify the security performance requirements that the service provider is to meet. This would include describing security performance metrics for protecting data, such as data reliability, data preservation, and data privacy. Clearly define the access rights of the cloud service provider and the agency as well as their respective responsibilities for securing the data, applications, and processes to meet all federal requirements. Describe what would constitute a breach of security and how and when the service provider is to notify the agency when the requirements are not being met.

9. Specify performance requirements and attributes defining how and when the cloud service provider is to notify the agency when security requirements are not being met (e.g., when there is a data breach).

10. Specify a range of enforceable consequences, such as penalties, for non-compliance with SLA performance measures. Identify how such enforcement mechanisms would be imposed or exercised by the agency. Without penalties and remedies, the agency may lack leverage to enforce compliance with contract terms when situations arise.
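Several of these practices only have teeth if the agency can actually measure them. The script below is an added example, not code from the GAO report or from this article, showing how an agency-side audit (practice 5) could turn the SLA terms into a repeatable check: it computes availability and response-time compliance from its own monitoring probes (practices 2 and 3), excludes scheduled maintenance windows from the measurement (practice 7), checks whether security-breach notifications arrived within the contracted deadline (practices 8 and 9), and converts any availability shortfall into a service credit (practice 10). The `SLA`, `Probe` and `evaluate` names, the penalty formula and all sample probes, maintenance windows and breach timestamps are constructed for illustration and are not taken from any real agreement.

```python
"""SLA compliance evaluator (illustrative; not from the GAO report)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SLA:
    """Terms the agency writes into the agreement (practices 3, 7, 9 and 10)."""
    availability_target: float      # fraction of measured samples that must be 'up'
    max_response_ms: float          # ceiling for a customer transaction's response time
    max_breach_notice: timedelta    # deadline for the provider to notify a security breach
    maintenance_windows: list       # (start, end) intervals excluded from measurement
    penalty_per_point: float        # service credit (%) per percentage point of shortfall


@dataclass
class Probe:
    """One synthetic transaction run by the agency's own monitor (practice 5)."""
    at: datetime
    up: bool
    response_ms: float


def in_maintenance(ts, windows):
    """Exception criteria: samples inside a scheduled maintenance window do not count."""
    return any(start <= ts < end for start, end in windows)


def evaluate(sla, probes, breaches):
    """Measure the provider against the SLA and return the audit findings.

    breaches: list of (detected_at, notified_at) pairs for security incidents.
    """
    measured = [p for p in probes if not in_maintenance(p.at, sla.maintenance_windows)]
    up_samples = [p for p in measured if p.up]
    availability = len(up_samples) / len(measured) if measured else 0.0

    # Response time is only meaningful for transactions that completed.
    slow = sum(1 for p in up_samples if p.response_ms > sla.max_response_ms)

    # Practice 9: was the agency told about each breach within the contracted deadline?
    late_notices = sum(1 for detected, notified in breaches
                       if notified - detected > sla.max_breach_notice)

    # Practice 10: shortfall in percentage points times the contracted credit rate, capped.
    shortfall_points = max(0.0, sla.availability_target - availability) * 100
    penalty = min(100.0, round(shortfall_points * sla.penalty_per_point, 2))

    return {
        "measured_samples": len(measured),
        "availability": availability,
        "availability_met": availability >= sla.availability_target,
        "slow_transactions": slow,
        "late_breach_notifications": late_notices,
        "penalty_percent": penalty,
    }


# Constructed sample data: a short monitoring period with one maintenance window.
_DAY = datetime(2016, 3, 1)
SAMPLE_SLA = SLA(
    availability_target=0.99,
    max_response_ms=500,
    max_breach_notice=timedelta(hours=24),
    maintenance_windows=[(_DAY + timedelta(minutes=20), _DAY + timedelta(minutes=40))],
    penalty_per_point=2.0,
)
SAMPLE_PROBES = [
    Probe(_DAY + timedelta(minutes=m), up, ms)
    for m, up, ms in [
        (0, True, 120), (10, True, 150),
        (20, False, 0), (30, False, 0),      # outage during scheduled maintenance: excluded
        (40, True, 200), (50, False, 0),     # unscheduled outage: counts against availability
        (60, True, 900),                     # slow transaction
        (70, True, 130), (80, True, 140), (90, True, 110),
    ]
]
SAMPLE_BREACHES = [
    (datetime(2016, 3, 1, 9, 0), datetime(2016, 3, 1, 10, 30)),   # notified in 1.5 h: on time
    (datetime(2016, 3, 2, 14, 0), datetime(2016, 3, 4, 0, 0)),    # notified after 34 h: late
]

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_SLA, SAMPLE_PROBES, SAMPLE_BREACHES).items():
        print(f"{key}: {value}")
```

The point of excluding the maintenance window explicitly is that the exception criteria from practice 7 are applied by the agency's own measurement rather than trusted from the provider's report, which is what the audit in practice 5 is for; the same structure extends to capacity tests or outage-response timing by adding further probe types.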